
Summary
This detection rule monitors for reconnaissance activity by adversaries attempting to identify system users in Windows environments. The rule looks specifically for commands associated with discovering the primary and currently logged-in users, as well as commonly used accounts, on a system. The logic uses Splunk to track the execution of specific commands such as 'whoami', 'useraccount', 'quser', and 'qwinsta.exe'. If these commands are executed within a short period, an alert is triggered, indicating potential malicious intent to gather user-related information. The detection is particularly relevant for known threat actors such as Alloy Taurus / Gallium, APT28 / Fancy Bear, and FIN8, who may use these tactics for further exploitation and systematic attacks. By leveraging Windows event logs and process command-line parameters, this rule aids in identifying potential system owner and user discovery activity, allowing for timely response actions to safeguard the environment.
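As an added illustration of the detection logic described above (not the rule's own Splunk search), the following Python re-implements it over constructed process events: it matches the commands the summary names and alerts when several distinct ones run on one host within a short window. The five-minute window and the two-command threshold are assumptions, since the summary does not state them.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators from the rule summary; 'useraccount' is matched in the command line (e.g. "wmic useraccount").
DISCOVERY_PROCESSES = {"whoami.exe", "quser.exe", "qwinsta.exe"}
DISCOVERY_CMDLINE_TOKENS = ("useraccount",)

# Assumed thresholds (the summary states none): >= 2 distinct discovery commands per host within 5 minutes.
WINDOW = timedelta(minutes=5)
MIN_DISTINCT = 2

def classify(event):
    """Return the discovery indicator an event matches, or None."""
    proc = event["process"].lower()
    if proc in DISCOVERY_PROCESSES:
        return proc
    cmd = event["command_line"].lower()
    return next((t for t in DISCOVERY_CMDLINE_TOKENS if t in cmd), None)

def detect(events):
    """Return (host, user, [indicators]) for each host on which MIN_DISTINCT
    different discovery commands ran within WINDOW of the first one."""
    hits = defaultdict(list)  # host -> [(time, user, indicator)] in time order
    for e in sorted(events, key=lambda x: x["time"]):
        ind = classify(e)
        if ind:
            hits[e["host"]].append((e["time"], e["user"], ind))
    alerts = []
    for host, seq in hits.items():
        for i, (t0, user, _) in enumerate(seq):
            distinct = sorted({ind for t, _, ind in seq[i:] if t - t0 <= WINDOW})
            if len(distinct) >= MIN_DISTINCT:
                alerts.append((host, user, distinct))
                break  # one alert per host is enough for this illustration
    return alerts

def event(ts, host, user, process, command_line):
    return {"time": datetime.fromisoformat(ts), "host": host, "user": user,
            "process": process, "command_line": command_line}

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    event("2024-02-09T10:00:00", "WS01", "jdoe", "whoami.exe", "whoami /all"),
    event("2024-02-09T10:01:10", "WS01", "jdoe", "quser.exe", "quser"),
    event("2024-02-09T10:02:30", "WS01", "jdoe", "WMIC.exe", "wmic useraccount get name,sid"),
    event("2024-02-09T10:03:00", "WS01", "jdoe", "qwinsta.exe", "qwinsta"),
    # Two commands on WS02 six hours apart: outside the window, so no alert.
    event("2024-02-09T09:00:00", "WS02", "admin", "whoami.exe", "whoami"),
    event("2024-02-09T15:00:00", "WS02", "admin", "quser.exe", "quser"),
]
```

Running `detect(SAMPLE_EVENTS)` reports only WS01, where four distinct discovery commands fall inside one window.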
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
- Process
ATT&CK Techniques
- T1033
Created: 2024-02-09